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DETAILED ACTION 

1 . This office action is in response to Applicant's amendment filed on January 3, 2008. 
Claims 1, 2 and 32 have been amended. New claim 36 is added. Claims 1, 3, 5-8 24-36 are 
pending. 

Response to Arguments 

2. Applicant's arguments filed January 3, 2008 have been fully considered but they are not 
persuasive. In response to applicants arguments the following comments are made: 

The applicant argued that neither Flurry nor Mishra, alone or in combination, disclose 
teach, or suggest each of the limitations in claim 1 . The applicant further argued that in Flurry, 
the alleged "agent" generates the alleged "session-ticket ID" and therefore, the alleged "agent" 
does not intercept the session ticket ID as required by claim 1 . The examiner respectfully 
disagrees. Flurry discloses the user directs a browser application to a web page that is available 
from the ASP aggregator service, which causes a web page request to be sent to the ASP 
aggregator service in an HTTP request message. The ASP aggregator determines that the client 
has not yet been authenticated and generates an authentication challenge page, i.e. login page, 
after which the logon page is sent to the client. The user then enters authentication data, after the 
ASP aggregator service has authenticated the user, the ASP aggregator service generates an 
aggregator token. The client automatically stores the aggregator token and subsequently sent 
along with request from the client. An application request message is returned to the ASP 
aggregator, which then determines the selected application from the request, (page 7, pp. 70-75) 
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A client device interacts with server 504 that supports an ASP or an aggregated application, in 
response to user actions, an application can generate response, and the requests and responses are 
depicted as communication traffic. During the initial authentication process, an aggregator token 
would be stored at the client and then subsequently sent along with requests from the client when 
appropriate. At some later point in time, the user's session will expire, the user may attempt to 
access an aggregated application using a bookmarked URL, which causes the user's browser 
application to send a request to the specified URL (i.e. application request with Aggregator 
Token), and the aggregator token is automatically sent along, with the request. After the 
aggregated application receives the request, it will determine that the request is not accompanied 
by a valid application authentication token. Rather than return an error to the user, the aggregator 
token is examined at the ASP aggregator service, (page 8, pp. 76-80) In addition Mishra teaches 
an ASP aggregator that provides its users with seamless access to all the ASP's as part of its 
trusted relationship, (page 7-8; 3. S2ML UseCase Scenarios) 



Claim Rejections - 35 USC § 103 

1 . The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 

obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject 
matter sought to be patented and the prior art are such that the subject matter as a whole 
would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall not be negatived 
by the manner in which the invention was made. 
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2. Claims 1, 3, 5-8 and 24-35 are rejected under 35 U.S.C. 103(a) as being unpatentable 

over Flurry et al. U.S. Publication Number 2003/0061512 (hereinafter Flurry) in view of Mishra 

et al. ("Security Services Markup Language", January 8, 2001 (hereinafter Mishra) 

[Note: "XML Key Management Specification (XKMS)", W3C Note 30, March 2001, pages 28- 

45, is used to further elaborate on the teaching of XML signature and HMAC taught by Mishra 

reference] 

As per claims 1, 7, 26 and 32: 

Flurry teaches a method comprising intercepting at an agent a web service 
customer access to a first web service, the agent residing between the web service 
customer and the first web service and between the web service customer and a 
second web service; (page 7, paragraph 70; ASP Aggregator service 404) collecting at 
the agent one or more credentials of the web service customer; (page 7, paragraph 71 ; 
The ASP Aggregator generates an authentication challenge, i.e., logon page...) 
determining at the agent whether the web service customer is authenticated and 
authorized; (Page 7, paragraph 72; ASP Aggregator service has authenticated the user) 
if the web service customer is authenticated and authorized, at the agent: granting the 
first request; initiating creation of a session and a session ticket; obtaining a session 
ticket ID for the session ticket; (page 7, paragraphs 73-75; after the ASP aggregator 
service has authenticated the user... the ASP aggregator then generates an application 
authentication token that is appropriate for the user and the selected application. The 
client's request is modified to include the application authentication token... and directed 
to a specific URL) intercepting a second request to grant the web service customer 
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access to the second web service, the second request comprising the assertion and a 
private key; (page 5, paragraph 54- page 6, paragraph 60; ASP aggregator may use a 
variety of security technique... message authentication code (MAC), ...PKCS; page 9, 
paragraphs 88-90; since the client has been previously authenticated ...the ASP 
aggregator would immediately generate the application authentication token that is 
needed with respect to the second aggregated application. After the second aggregated 
application is received and verified, the user may interact with the second aggregated 
application) and if the private key matches the public key in the assertion, grant the 
second request without reauthenticating or reauthorizing the web service customer, 
(page 9, paragraphs 88-90; since the client has been previously authenticated ...the 
ASP aggregator would immediately generate the application authentication token that is 
needed with respect to the second aggregated application. After the second aggregated 
application is received and verified, the user may interact with the second aggregated 
application) Flurry does not explicitly disclose encrypting the session ticket ID and a 
public key into an assertion and matching a private key with the public key in the 
assertion. Mishra in analogues art, however, discloses encrypting the session ticket ID 
and a public key into an assertion and matching a private key with the public key in the 
assertion, (page 11,4. Architecture; ...assertions must e signed using the framework 
described in the [XML-SIG] specification... supports both using secret-key (for example, 
HMAC) and public-key signing; page 31 MIME Binding) Therefore, it would have been 
obvious to one ordinary skill in the art at the time invention was made to modify the 
method disclosed by Flurry with Mishra in order to provide security services for 
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assertions the may travel across the Internet and be scrutinized and checked for validity 
far from the point of origin, (page 1 1 ; Mishra) 

As per claims 3, 8 and 27: 

The combination of Flurry and Mishra teaches all the subject matter as discussed above. 
In addition, Flurry further discloses a method wherein the assertion comprises a Security 
Assertions Markup Language (SAML) assertion, (page 3, paragraph 34) 
As per claims 5 and 28: 

The combination of Flurry and Mishra teaches all the subject matter as discussed above. 
In addition, Flurry further a method wherein the agent comprises an Extensible Markup 
Language (XML) agent, (page 3, paragraph 34) 
As per claims 6 and 29: 

The combination of Flurry and Mishra teaches all the subject matter as discussed above. 
In addition, Flurry further a method wherein the procssors are further operable to determine 
whether the web service customer is authenticated and authorized comprises comparing the web 
service customer with a database containing authentication and authorization data, (page 7, 
paragraph 72) 
As per claims 24 and 30: 

The combination of Flurry and Mishra teaches all the subject matter as discussed above. 
In addition, Flurry further a method wherein the first request and the second request both 
originate at the web service customer; and 

the method further comprising communicating the assertion to the web service customer to 
enable the web service customer to access the second web service without reauthentication or 
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reauthorization after the web service customer accesses the first web service, (page 7, paragraph 
71; page 9, paragraphs 88-90) 
As per claims 25, 31 and 35: 

The combination of Mishra and Hallam-Baker teaches all the subject matter as discussed 
above. In addition, Flurry further discloses a method wherein the first request originates at the 
web service customer and the second request originates at the first web service; and the method 
further comprising communicating the assertion to the first web service to enable the web service 
customer to access the second web service without reauthentication or reauthorization after the 
web service customer accesses the first web service, (page 7, paragraph 71; page 9, paragraphs 
88-90) 

As per claim 33: 

The combination of Mishra and Hallam-Baker teaches all the subject matter as discussed 
above. In addition, Mishra further discloses a method comprising at the agent, placing the 
assertion into a header; sending the assertion to the first web service; returning the assertion to 
the web service consumer, (page 7, 3 S2ML Use Case Senarios; assertions can travel with the 
user in various ways. . .http headers) 
As per claim 34: 

The combination of Mishra and Hallam-Baker teaches all the subject matter as discussed 
above. In addition, Mishra further discloses a method wherein the second request comprises an 
XML document containing the assertion; and wherein the web service customer has signed the 
XML document with the private key. (page 11,4. Architecture) 
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3. Claim 36 is rejected under 35 U.S.C. 103(a) as being unpatentable over Flurry et al. U.S. 
Publication Number 2003/00615 12 (hereinafter Flurry) in view of Mishra et al.("Security 
Services Markup Language", January 8, 2001 (hereinafter Mishra) in view of Woods et al. 
(hereinafter Woods) US 6,609,198. 

The combination of Mishra and Hallam-Baker teaches all the subject matter as 
discussed above. Both references do not explicitly disclose that wherein the second 
request is intercepted at the agent before the second web service, (col. 7, line 36-col. 9, 
line 51) Therefore, it would have been obvious to one ordinary skill in the art at the time 
invention was made to modify the method disclosed by Flurry and Mishra with Woods in 
order to provide a single sign-on for multiple information resources. (Abstract; Woods) 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1 .136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 
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Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to SHEW A YE GELAGAY whose telephone number is (571)272- 
4219. The examiner can normally be reached on 8:00 am to 5:30 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on 571-272-3865. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



Shewaye Gelagay 
/S.G./ 

Examiner, Art Unit 2137 



/Emmanuel L. Moise/ 

Supervisory Patent Examiner, Art Unit 2137 



